India faced nearly 370 million malware attacks in 2024, with the insurance sector among the top targets. IRDAI’s Information and Cyber Security Guidelines (CS Guidelines 2023) directly address this threat through Policy 2.16, which mandates active maintenance and monitoring of logs.
This blog breaks down what Policy 2.16 requires at source, why 180 days of storage is necessary but not sufficient, and what a 6-hour-ready logging architecture looks like for insurers and intermediaries.
What IRDAI Policy 2.16 mandates
Two sub-provisions in the IRDAI circular define the core logging obligation.
1. The 180-day log mandate
All ICT infrastructure and application logs must be maintained and monitored for a rolling period of 180 days. The governing words are “maintained” and “monitored”, not merely stored. The CS Guidelines 2023 (Accountability principle) further state that all organization systems must generate and maintain appropriate audit trails to identify users and IT assets and to document security-related events.
Section 1.6 further specifies that logs of applications and IT infrastructure must be collected and analysed by a 24/7 Security Operations Centre (SOC) team.
Passive log archives fail this standard. Active, continuous analysis is what the guidelines require.
2. NTP synchronization
All relevant information processing systems must synchronize their clocks with the Network Time Protocol (NTP) server of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL), or with NTP servers traceable to these. Without consistent, verifiable timestamps, log correlation fails and your incident evidence becomes unreliable under investigation. A log showing an event time of 14:23 means nothing if the source system clock was running 40 minutes behind every other system in your environment.
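As an added example (not part of the IRDAI text), the script below shows why clock offset matters for correlation: each source's measured offset from the NIC/NPL reference is used to flag drifted hosts and to rebase timestamps before events are grouped, so the 40-minutes-behind case lines up with the other evidence. Host names, offsets and log lines are constructed sample data.

```python
# Clock-drift check and timestamp rebasing for log correlation (added example,
# not from the IRDAI text). Offsets are what an NTP client reports against the
# NIC/NPL reference; the values and log lines here are constructed.
from datetime import datetime, timedelta, timezone

# Constructed: each host's clock offset from reference time, in seconds
# (negative = host clock behind). 'claims-app' is the 40-minutes-behind case.
CLOCK_OFFSETS = {"fw-edge-01": 0.12, "ad-dc-01": -0.35, "claims-app": -2400.0}
MAX_DRIFT_SECONDS = 1.0  # assumed tolerance before a source is unreliable

# Constructed sample records: (host, host-local timestamp, message)
LOGS = [
    ("fw-edge-01", "2025-03-10T14:23:05", "allow 10.0.5.17 -> 203.0.113.9:443"),
    ("ad-dc-01", "2025-03-10T14:23:04", "4624 logon svc_claims from 10.0.5.17"),
    ("claims-app", "2025-03-10T13:43:06", "bulk export 12000 policies by svc_claims"),
]


def drifted_sources(offsets, tolerance=MAX_DRIFT_SECONDS):
    """Hosts whose clock offset exceeds the tolerance; alert on these."""
    return sorted(h for h, off in offsets.items() if abs(off) > tolerance)


def to_reference_time(host, local_ts, offsets):
    """Rebase a host-local timestamp: local = reference + offset."""
    local = datetime.fromisoformat(local_ts).replace(tzinfo=timezone.utc)
    return local - timedelta(seconds=offsets[host])


def correlate(logs, offsets, window_seconds=5):
    """Group events whose rebased timestamps fall within window_seconds of
    the previous event. Returns groups of (reference_iso, host, message)."""
    events = sorted((to_reference_time(h, ts, offsets), h, m) for h, ts, m in logs)
    groups, current = [], []
    for ev in events:
        if current and (ev[0] - current[-1][0]).total_seconds() > window_seconds:
            groups.append(current)
            current = []
        current.append(ev)
    if current:
        groups.append(current)
    return [[(t.isoformat(), h, m) for t, h, m in g] for g in groups]
```

Run with zero offsets and the bulk export lands in its own group 40 minutes earlier; with the measured offsets applied, all three events fall in one window.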
The 6-hour reporting obligation
Logging compliance cannot be separated from incident response. The policy mandates that regulated entities report any cyber incident to IRDAI in the prescribed format within 6 hours of noticing it or being brought to notice. The same 6-hour window applies to CERT-In reporting. These are separate, simultaneous obligations; reporting to one does not satisfy the other.
To file a defensible 6-hour incident report, your logging infrastructure must already have the evidence assembled before the clock starts. That means pre-correlated logs, a searchable SIEM and a pre-built evidence template mapped to IRDAI’s prescribed incident report format, all ready before an incident occurs, not assembled reactively under pressure.
What “ICT infrastructure and application logs” covers in practice
Policy 2.16 uses the phrase “ICT infrastructure and application logs” without enumerating specific systems. Applying Section 1.2’s scope (which covers all data across all information assets regardless of form) and the governance obligations for SOC coverage, a compliant logging stack in an insurance entity should capture logs from:
- Network devices: firewalls, routers, switches and intrusion detection or prevention systems
- Endpoints: servers, workstations and laptops, ideally with EDR telemetry feeding the SIEM
- Core insurance systems: policy administration, claims management and underwriting platforms
- Customer-facing applications: web portals, mobile apps and API gateways
- Identity and access systems: Active Directory, IAM platforms and privileged access management tools
- Third-party and TPA connections: vendor access logs and TPA portal activity
- Cloud workloads: where applicable, subject to India data localisation requirements
The CS Guidelines 2023 explicitly require insurers to ensure that third parties follow the same minimum security framework. Third-party vendor access logs are not optional additions; they are within the scope of Policy 2.16.
The forensic independence requirement and your logging stack
The IRDAI March 2025 circular explicitly prohibits a conflict of interest: the vendor handling your SOC, attack surface monitoring or cybersecurity functions cannot also serve as the forensic auditor for an incident investigation involving the same entity. IRDAI mandates that regulated entities pre-empanel certified forensic experts before an incident occurs.
This creates a specific architectural consequence. Your logs must be stored in a tamper-evident, independently accessible format that an external forensic expert can retrieve and work with – without requiring access to live SOC systems or the operational logging environment. Write-once (WORM) storage, documented export procedures and role-based access that separates forensic retrieval from SOC operations are the architectural controls this mandate demands.
The pre-empanelment requirement also reframes incident readiness timelines. Your forensic expert must be contracted and briefed in advance – not sourced reactively with the 6-hour clock already running.
What a 6-hour-ready logging architecture looks like
Satisfying Policy 2.16 and genuinely meeting the 6-hour evidence standard requires six capabilities working together in your logging stack:
- Centralised ingestion: all ICT and application log sources feeding a single SIEM in real time, with no gaps in coverage
- NTP-synchronized timestamps: every log source synced to NIC or NPL servers, with automated drift detection and alerting
- 24×7 active monitoring: SIEM correlation rules running continuously with incident classification logic pre-configured
- Pre-built IRDAI evidence templates: log correlation packaged into the prescribed incident report structure on demand
- WORM or tamper-evident storage: write-protected log archives with a minimum one-year retention policy
- Forensic-accessible export: evidence retrievable by pre-empanelled external forensic experts without SOC system access
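To make the tamper-evident, forensic-exportable storage from the forensic independence section and the list above concrete, here is an added example (not from the IRDAI text or any vendor product): exported log batches are bound into a SHA-256 hash chain, and an external reviewer re-derives the chain offline from the batches and manifest alone, with no SOC or SIEM access. The batch names and contents are constructed.

```python
# Tamper-evident log archive via a SHA-256 hash chain (added example, not from
# the IRDAI text). A forensic reviewer re-derives the chain offline from the
# exported batches plus manifest, with no SOC or SIEM access. Data is constructed.
import hashlib

# Constructed: daily log batches as exported from the SIEM.
BATCHES = {
    "2025-03-09.log": b"14:23:04 ad-dc-01 4624 logon svc_claims\n",
    "2025-03-10.log": b"14:23:06 claims-app bulk export 12000 policies\n",
}
GENESIS = "0" * 64  # chain anchor for the first manifest entry


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(batches):
    """Ordered entries where entry = sha256(prev | name | sha256(contents))."""
    entries, prev = [], GENESIS
    for name in sorted(batches):
        content_hash = _sha256(batches[name])
        entry_hash = _sha256(f"{prev}|{name}|{content_hash}".encode())
        entries.append({"name": name, "sha256": content_hash,
                        "prev": prev, "entry": entry_hash})
        prev = entry_hash
    return entries


def verify_export(manifest, batches):
    """Re-derive the chain; return (True, chain_head) or (False, first problem)."""
    prev = GENESIS
    for e in manifest:
        data = batches.get(e["name"])
        if data is None:
            return False, f"missing batch {e['name']}"
        if _sha256(data) != e["sha256"]:
            return False, f"contents altered in {e['name']}"
        if e["prev"] != prev:
            return False, f"chain broken before {e['name']}"
        if e["entry"] != _sha256(f"{prev}|{e['name']}|{e['sha256']}".encode()):
            return False, f"manifest entry forged for {e['name']}"
        prev = e["entry"]
    if len(manifest) != len(batches):
        return False, "batches present that are not in the manifest"
    # The chain head is the value to record out-of-band (e.g. hand it to the
    # pre-empanelled forensic expert at export time); without that anchor a
    # rewrite of batches and manifest together would still verify.
    return True, prev
```

The WORM archive holds the batches and manifest; the chain head recorded out-of-band is what lets the forensic expert prove the export they received is the one that was written.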
Organizations already running a Full Stack Observability platform have a meaningful head start: centralized log ingestion and infrastructure coverage are already in place. The delta is configuring SIEM correlation rules for insurance-specific incident classification, building the IRDAI evidence template and confirming that NTP synchronization is documented and monitored across every log source.
Conclusion
IRDAI’s logging mandate is explicit: 180-day rolling retention, NTP synchronization to NIC or NPL, and 24/7 active monitoring by the SOC. But what separates compliant from incident-ready is the 6-hour evidence window. Storage satisfies the letter of Policy 2.16. A centralised, correlated, NTP-synchronized, forensic-exportable logging stack satisfies its purpose.
Every insurer, TPA, broker and web aggregator under IRDAI’s purview carries this obligation. And with DPDP’s one-year retention floor now the governing standard for policyholder data, the right time to build the architecture is before the next incident – not after the clock has started.
At CyberNX, we help IRDAI regulated entities design and deploy logging solutions that satisfy Policy 2.16, meet the 6-hour evidence standard and pass IRDAI’s annual cyber assurance audit. Connect with our team to build a logging stack that holds up when it matters most.
FAQs: Logging solutions as per IRDAI guidelines
What is the exact log retention period under IRDAI Policy 2.16?
Para 3.3(I) of Policy 2.16 mandates a rolling period of 180 days for all ICT infrastructure and application logs. However, DPDP Rules 2025 (Rule 8(3)) require a minimum of one year for personal data and associated processing logs – which applies to all insurance entities processing policyholder data. The longer obligation governs. Build your architecture around one year as the baseline.
Does IRDAI require logs to be stored within India?
Yes, with scope variations. For non-insurer regulated entities – TPAs, brokers, web aggregators and insurance marketing firms – the CS Guidelines 2023 explicitly require ICT infrastructure logs to be stored within India. For insurers, the same obligation applies under IRDAI’s regulations on insurance e-commerce and records maintenance. Confirm your logging infrastructure meets Indian data localisation requirements before onboarding all log sources.
Can the same vendor manage both the SOC and the forensic investigation under IRDAI?
No. The IRDAI March 2025 circular explicitly prohibits this conflict of interest. The vendor handling SOC operations, attack surface monitoring or any cybersecurity function cannot serve as the forensic auditor for an incident involving the same entity. Pre-empanel a separate, certified forensic expert and ensure your logs are independently exportable to them without SOC access.